Wednesday, October 29, 2008

It's about the hall. That's where it happens.

As mentioned previously, I was at a great blacksmith conference a couple of months ago. Not mentioned was the fact that they missed one key element, one that most conferences miss: some of the most valuable information comes from the side conversations, not always from the planned presentations.  This is true in almost every conference I have attended, from IT and security events to auto dealer conventions, large events to small- the schedules and facility hinder impromptu discussions instead of encouraging them.  I understand that the event organizers are trying to put on great events packed with content, but they seem to miss the fact that attendees are a key part of the event, not just passive observers.

One shining exception is PodCamp Boston.  Last year, an impromptu gathering in the hall was one of the most significant social media events of the year- this year "the hall" was extended into a large room with plenty of tables and chairs (and power outlets and wireless Internet access) and people were encouraged to use the space for:

  • follow up to presentations
  • informal meetings on topics not covered in scheduled events
  • general socializing and networking
  • putting what they learned to work immediately
  • whatever else seemed appropriate

To their credit, DefCon did have speaker rooms for follow-up after presentations this year, but they weren't always readily accessible, and they were only available for a limited time after presentations.  On the other hand, Black Hat didn't even have enough hall to use as a hall this year.

So, how do we do this better?  It needs to be easy to have a productive side conversation without disturbing presentations or other attendees, and that means convenient space needs to be readily available- ideally with plenty of power outlets and wireless Internet access.  The event schedule needs to allow enough time to pause briefly between sessions and not force attendees (and speakers) to sprint from one room to another. And everyone needs to be encouraged to use the resources available to get the most out of the event.

The evening events at SOURCE Boston this year produced some great conversations, and they are making additional space available during the conference next year to facilitate more- now we need to spread the word and hope more events recognize the value of "the hall".

[Full Disclosure bit- I am a SOURCE Boston volunteer]



Tuesday, October 28, 2008

Conferences and Road Trips

So, RSA Europe is this week, Halloween is Friday and ChicagoCon is this weekend- then into the holiday season. But it isn't too early to start thinking about next year's events-

I am working on Road Trips for a couple of these, likely Shmoocon and Source.  Details to come, film at eleven, etc.



Friday, October 24, 2008

I just don't get it.

I just don't get it. Microsoft issues a critical patch out of cycle and people are running around like mad, the sky is falling and stuff- but every month we deal with up to a dozen patches and take it in stride.  Yes, there are exploits in the wild. Yes, it could be ugly if something exploiting this got loose in your network.  We have the tools to make this relatively painless, so what's the problem?

I suppose there may be situations where the patch breaks things, but since this seems to overlap a previous patch- probably not too many.  I know reboots of some systems have to be scheduled and can be tricky to arrange. 

I suppose it is even possible that there are networks without patch management tools, but there isn't really an excuse for that in most environments.  I even have a workaround for this one- grab an evaluation copy of some nice patch management software and use it.  Really, some are pretty simple to set up and run.  I have been a big fan of Shavlik's tools for many years; if you don't know where to look, start there.  You just need a spare machine running Windows 2000/XP/2003/2008 (but not Vista)- and that's right, it doesn't have to be a server OS.  After you scan your network and do some test deployments, schedule the rest of the deployments and relax.  Pay attention, but relax.  And when that's done, scan your network and see what else needs patching.  Any of the commercial tools do more than just Windows OS patches (Shavlik really shines here), and some can also manage application deployment- so testing the trial version may show you enough to justify the expense of buying the product even in these trying times.
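For the "scan your network and see what else needs patching" step, here is an added example (not from the original post, and not Shavlik's tooling) that uses the built-in Get-HotFix cmdlet to report which machines are missing a given hotfix. The host names are a constructed sample list, the KB number is a placeholder to be replaced with the real one, and it assumes you have remote WMI/RPC access to each host.

```powershell
# Added example, not part of the original post: a quick inventory of which
# machines are missing a given hotfix, using the built-in Get-HotFix cmdlet.
# Assumes remote WMI/RPC access to each host. Replace the placeholder KB number
# with the actual KB article number of the patch you are tracking.
$requiredKB = 'KB0000000'                     # placeholder, substitute the real KB id
$computers  = @('HOST01', 'HOST02', 'HOST03')  # constructed sample host list

$report = foreach ($c in $computers) {
    try {
        # Get-HotFix queries Win32_QuickFixEngineering on the remote host
        $hotfixes = Get-HotFix -ComputerName $c -ErrorAction Stop
        [pscustomobject]@{
            Computer  = $c
            Reachable = $true
            HasPatch  = [bool]($hotfixes | Where-Object { $_.HotFixID -eq $requiredKB })
            LastPatch = ($hotfixes | Sort-Object InstalledOn -Descending |
                         Select-Object -First 1).InstalledOn
        }
    } catch {
        # Unreachable hosts are reported separately so they are not mistaken for patched ones
        [pscustomobject]@{ Computer = $c; Reachable = $false; HasPatch = $null; LastPatch = $null }
    }
}

# Show the whole picture, then write out the list that still needs work
$report | Sort-Object HasPatch | Format-Table -AutoSize
$report | Where-Object { $_.Reachable -and -not $_.HasPatch } |
    Export-Csv -NoTypeInformation -Path 'missing-patch.csv'
```

Unreachable hosts are listed with Reachable = False rather than being silently dropped, since a machine you cannot query is exactly the one most likely to be missing the patch.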

I could even go off on the Patch Management vs. Vulnerability Scanning rant, but that's a post for another day.



Thursday, October 16, 2008

Security Twits Road Trip Photos

Sunset on the highway 

Photos and video are out on the Security Twits Road Trips Flickr Group.  A few more photos and videos should be up soon.

Join us for the next trip?



Tuesday, October 14, 2008

Day-Con II Wrap-up

Day-Con II was great, and I'm already looking forward to next year.  Starting with Tyler Durden's "Viral Art: Writing a Blender Virus" and Robert Hensing's "Targeted Attacks" on Friday night, the event began with solid technical content- and it continued throughout the day on Saturday.  A full list of presenters and abstracts can be found here.  It is hard to pick out high points- several members of the ERNW team gave very good presentations, the lovely and talented Chris Hoff reprised his "Four Horsemen" talk, and many more.  And there was the ninja- who gave his presentation without speaking (he used text-to-speech synthesis to read slides and notes, and used his katana as a pointer).

Then there was the after-party.  If you missed it, you missed something out of the ordinary.  Just ask the Flabongo.

Of course, getting there is half the fun, but that is covered in my Security Twits Road Trip posts, a summary to come soon.



Saturday, October 11, 2008

We made it to Day-Con

We made it to Day-Con II, saw some very good presentations this evening, and are ready for the "main event" on Saturday.  Photos from today's drive are at the link in the previous post- starting with a lovely sunrise over Best Buy.


Thursday, October 9, 2008

Security Twits Road Trip

We're on the road.  Well, actually, we're in the parking lot.  Somewhere in Sterling, Virginia.  The day started out rainy, but after picking up the first crew member we fueled up the RV and then hit Starbucks to fuel up ourselves, then the sun came out.  Either that, or the caffeine kicked in and my eyes opened.  The splendor of Interstate 95 in the fall... oh never mind- we drove more or less south most of the day.  Photos over there at Flickr.

Astaro is sponsoring this inaugural Security Twits Road Trip, it wouldn't be happening without them.  (Thanks boss!)



Tuesday, October 7, 2008

The Internet is not broken again.

That's right, in spite of what some have said about the Louis/Lee/Sockstress- Latest Thing to Break the Internet™, the Internet is not broken again.

The Internet is still broken. Broken again implies the existence, however brief, of a state of unbroken-ness, and that is just silly. 

But, even though it is broken, it still works.  Like one of the buses you see in travelogues of impoverished foreign lands, we all know the Internet is unsafe and could break at any minute- but everyone (including the thieves) hopes the bus keeps on trucking, because we need it to.  So, until the Internet really does fall off a cliff on a winding mountain road- you, I and everyone else in IT and security will keep putting on our coveralls and keep playing mechanic to the Internet. And hoping for the best.



Into the Breach

I am not inclined towards book reviews, and my thoughts on user education tend to be somewhat fatalistic (I'm a big fan of Robert Heinlein's quote: "Never try to teach a pig to sing; it wastes your time and it annoys the pig") but here goes...

I just finished reading Michael Santarcangelo's book, "Into the Breach", a small volume, heavily footnoted, with a unique view of information security. Michael, the "Security Catalyst", offers a pragmatic approach to security which focuses on many of the overlooked aspects of security programs- little details, like the people who have to make it work, and the impact of the "security process" on those people's ability to do their jobs.

Michael's approach is actually a bit conspiratorial, based on getting support from the trenches with crazy ideas- ideas revealed in quotes like these:

"Make it easy for people to do the right thing"

"Efforts can be evaluated with a simple question: Is this going to make it easier for people to do their jobs?"

But he isn't naive about it, Michael recognizes that:

"Keep in mind that when an executive or outsider asks questions about how people do their jobs, the answers given may not be accurate"

"What people do when no one else is watching ultimately decides when and how technology is going to be used and information protected"

Of course, there are no easy answers, and there really has to be a desire and commitment to really improve- if all a company wants to do is fill some checkboxes, nothing will help. I tend to be a little cynical, so I wonder how many companies really want to change, but those that do would be well served to consider Michael's advice.

Besides the book, Michael has a lot going on: he has done his own podcast and does the Security Roundtable Podcast with Martin McKeay, he hosts the Security Catalyst Community, and now Catalyst on Tour (where he packs the family into their RV and tours the country for his consulting and speaking engagements). He takes the Catalyst moniker seriously, so if you get a chance to meet him, talk to him and see where the conversation leads.


Monday, October 6, 2008

Well, that's awkward.

So, yeah- for years I have recommended Security Now to people interested in network security.  I did put an asterisk next to the podcast the last time I ran down my podcast list, but I still recommended it.  I may scream at the dashboard of my faithful Jetta when Steve Gibson's voice comes out of the speakers saying things like cross-site request forgery is the same thing as cross-site scripting, but I get that to his target audience, both fall into the broad category of "scripting in browsers can do bad stuff"- so even though it infuriates me, I get over it.  Overall, the show gets generally accurate information out to an audience in need of education.

[NOTE: Steve corrected himself about CSRF in SN Episode 166]

But now, I have a problem.  You know where I work and that my employer and Security Now have the longest running advertising relationship in podcasting.  It is a good relationship for both Astaro and Security Now, but I'm in an uncomfortable spot now because Steve Gibson screwed up royally, and Leo Laporte let it stand.

In the latest episode, Steve talked about the Latest Thing to Break the Internet™, the Louis/Lee Sockstress TCP DoS attacks- and got some things wrong and slighted the journalist who had the scoop on the story, Brenno deWinter.  I was lucky enough to meet Brenno at DefCon this year after one of his great presentations, and we have stayed in touch since then (primarily via the magic of Twitter).

I listened to Brenno's podcast as soon as I found out about it (via Twitter, of course), then listened to Security Now a couple of days later.  I had to go back and listen to Brenno's podcast again, because Steve and I seemed to have heard similar, but significantly differing things.  I don't pretend to know much of anything, certainly nowhere near as much about TCP/IP and network-based attacks as Steve Gibson- but I really think he got a few things wrong.  I'll ask you to listen to both shows if you are interested in judging for yourself, but I think the one thing that both Steve and Leo got completely wrong was not crediting Brenno for his work in the interview and podcast (or CIO article, or the research that went into everything).  That is just not right, especially from Leo, who has been such a driving force in podcasting and knows about the world of journalism.

The show notes at GRC now reflect a little more complete and accurate version of things, and credit Brenno- but the podcast is all that most people get, so I hope Steve "tidies up" a few things at the beginning of the next show.

So, yeah- listen to Security Now, just make sure you apply the appropriate filters for your own knowledge level, and do a little follow up yourself when it seems appropriate.  And roll up the windows in your car before you yell at Steve and Leo, your fellow commuters do not take kindly to being stuck in traffic next to raving lunatics. Or so I have heard.



Even Homer Simpson doesn't trust e-voting

Sunday, October 5, 2008

CiderDays Sweet and Hard Cider Festival

This *really* has nothing to do with security, but is one of the things I really look forward to every year.  Great people, a good time, interesting conversations, great food and drink- at the CiderDays Sweet and Hard Cider Festival in Franklin County Massachusetts.

See you there-



Friday, October 3, 2008

Pirates, continued

Another quick post- the latest news on those troublesome Somali pirates is that they may be willing to accept "only" five million dollars in ransom for the ship full of tanks and other weapons and the remaining crew, but everyone is bickering and no real progress is being made.

And, to add a little Cold War-style pressure to the situation, the Russian Navy has dispatched a frigate to the Somali coast.  That should calm everyone down.  The good news is that they will probably act before the US Navy, thus vaporizing the pirates and a potential PR nightmare for the US in one shot (so to speak).

Again, no relevance to Information Security, we never hide from problems until they explode- and we would never let giant superpowers in our industry get into uneasy standoffs.



California makes it a crime to 'skim' RFID tags

Just a quick rant: An article over at Network World reports that California makes it a crime to 'skim' RFID tags.

Yes! Another stupid and pointless law.  Since the potential misuse of a cloned RFID is to commit fraud, theft or some other crime, isn't this redundant?  And how about making it illegal to make stupid and vulnerable "security" products?  At least bring back the pillory for companies who write their own crypto and/or implement crypto poorly?  Please?  I want to run the rotten tomato concession stands.